Filter winlogbeat by eventID

PandKing · April 19, 2018, 9:23pm

Hi,

I am sending wineventlogs to logstash at about 60k/m and we need to send about 100 matching eventID's to an output.

It would be ugly to add 100 or statements to this filter and just wondering what the best way might be from a management and performance standpoint.

if [type]=="wineventlog" and "DC" in [tags] {

tatdat · April 20, 2018, 2:52am

Did you try this in winlogbeat config?
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#_literal_event_logs_event_id_literal
Enter EventID you need look like

winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4700-4800, -4735

PandKing · April 20, 2018, 4:56pm

Yea looked at that but it doesn't fit the business need.

I want to use logstash as my traffic cop.

Everything goes to ES
Critical events go to our monitoring solution.
Specific event ID's go to our SAS solution for PCI.

The first two are easy but the 3rd I have a list of about 100 event ID's to target.

wwalker · April 21, 2018, 3:00am

I know this is might be a bit longwinded but something like this should work:

output {
  if [field] =~ "(EventID1|EventID2|EventID3|etc...)" {
    output config....
  }
}

PandKing · April 22, 2018, 9:56pm

Yep that would do it,
Was hoping to find a way to pull out the list into a macro or something.

Like if [event_it] in $list type of expression so the list could be a managed flat file or something.

Thanks Walker i'll post results.

wwalker · April 22, 2018, 11:17pm

Based on the example documentation, it looks like you can use ranges as well. You may also be able to use regex or wildcard. I've not tried to get as granular as you are going so I don't really know what's possible.

PandKing · April 30, 2018, 8:00pm

Using eventcreate on windows to create an windows event_id of 999. I can see it in the debug logs and I can see it if I write it out to file without the filter but I CANNOT seem to get this rule to fire.
Any help would be appreciated.

  if [type]=="wineventlog" and [event_id]=="999" {
     file {
     path => "/opt/logs/logstash/%{host}-eventid.json"
     codec => "json_lines"
     }
    }
  if [type]=="wineventlog" and "DC" in [tags] {
    tcp {
    host => "loghost"
    port => "5142"
    mode => "client"
    codec => "json_lines"
    }

PandKing · April 30, 2018, 8:34pm

Update: Found a reply from Magnus Bäck on another post. event_id is a numeric type 'm' so you are required to used a non string match.
The question is how can I match multiple values.

[event_id]==999

system · May 28, 2018, 8:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.